Backdoor that threatens power stations to be purged from control system

A secret backdoor account is being removed from routers used by power utilities.

This RSG2100 device contains a backdoor that hackers could use to gain unauthorized access to computer systems that control electric substations and other critical infrastructure.

Image courtesy of RuggedCom

Mission-critical routers used to control electric substations and other critical infrastructure are being updated to remove a previously undocumented backdoor that could allow vandals to hijack the devices, manufacturer RuggedCom said late Friday.

The announcement by the Ontario, Canada-based company comes two days after Ars reported that the company's entire line of devices running its Rugged Operating System contained a backdoor with an easily determined password. The backdoor, which can't be disabled, had not been publicly acknowledged by the company until now, leaving the power utilities, military facilities, and municipal traffic departments using the industrial-strength gear vulnerable to sabotage that could affect the safety of huge populations of people.

The previously secret account uses the login ID of "factory" and a password that's recovered by plugging the MAC, or media access control, address of the targeted device into a simple Perl script. The backdoor on devices running early versions of Rugged OS could be accessed over the Internet using secure Web browser connections, secure shell, telnet, remote shell, or serial console. On versions 3.3 and higher of the OS only telnet, remote shell, and serial console could be used. Raising the risk of unauthorized access, many login screens display the device's MAC address before a user enters valid credentials. Telnet and rsh can be disabled in all versions greater than 3.3.

"In addition to eliminating the factory backdoor, telnet and rsh services will be disabled by default," the company's statement read. "This change will result in newly shipped ROS devices having telnet and rsh disabled. It also results in telnet and rsh being disabled after loading factory default settings. This change has no impact on the operational status of telnet or rsh after a firmware upgrade."

RuggedCom devices are frequently installed in electric substations, traffic control cabinets, and other locations where dust, extreme heat and cold, and other difficult environmental conditions take a toll on hardware. In addition to being housed in areas that are difficult to physically access, the devices are frequently used to control mission-critical equipment, creating a hardship for those who must update.

"If users are running non-redundant networks, this is probably going to require taking their process offline," K. Reid Wightman, an industrial control systems security expert for Digital Bond, wrote in an email. "So it's not the sort of thing that most users can patch right away—they're going to have to patch it during their normal manufacturing patching cycle, which might be a year. That's why it's so important for vendors to get their development process right and not make these kinds of amateur mistakes."

Compounding the difficulty of updating, the changes will be made to Rugged OS versions 3.7 and higher, a limitation that will require users of older systems to upgrade to newer versions. The updates will be available through RuggedCom's customer support channel. The company said it will issue another bulletin with additional details in a few weeks.

The company thanked independent security researcher Justin W. Clarke for reporting the vulnerability. Clarke said he discovered the backdoor after examining used RuggedCom hardware he bought on eBay.

19 Reader Comments

What is it about companies that makes them refuse to patch privately disclosed vulnerabilities until the issue winds up in the press. Do they not realize that's where it's inevitably headed? 'Sitting on it' can cripple consumer confidence if it matters to the customer base, as companies like RSA are now aware.

I'd guess most of these systems will stay unpatched. The known sin of taking production offline vs the possible risk of an attacker will likely tend towards "Keep stuff running" - as it does in most process control systems.

I understand the desire for vendors to have backdoor access into devices for maintenance after the guy who set them up leaves/for password resets/etc. Can you please make it require physical access, at least? A serial port with a backdoor (clearly described in the manual) is very different from a telnet backdoor! Ideally, something that requires physical access at the time of access - similar to the reset button on most home routers. No idea how it's set up? Great, if I'm holding it, I can reset it fully. Otherwise, I can't. Serial ports are often attached to serial multiplexers.

Compounding the difficulty of updating, the changes will be made to Rugged OS versions 3.7 and higher, a limitation that will require users of older systems to upgrade to newer versions. The updates will be available through RuggedCom's customer support channel. The company said it will issue another bulletin with additional details in a few weeks.

Great sales pitch. "Buy our newer products or be left with a critical backdoor into your system!"

What is it about companies that makes them refuse to patch privately disclosed vulnerabilities until the issue winds up in the press. Do they not realize that's where it's inevitably headed? 'Sitting on it' can cripple consumer confidence if it matters to the customer base, as companies like RSA are now aware.

Why do people avoid paying parking fines until they lose their car or license privileges.

I'm sure internally the developers have continued to bitch about this to management and warned management several times but management continues to argue that it is a business requirement. Internally, I'll bet the developers have a 'pet' name for this particular management mistake.

"The backdoor on devices running early versions of Rugged OS could be accessed over the Internet using secure Web browser connections, secure shell, telnet, remote shell, or serial console. On versions 3.3 and higher of the OS only telnet, remote shell, and serial console could be used."

Are you kidding me? This company clearly has no idea what they are doing at all. Any mission critical (or anyone really) operation which purchases this equipment deserves exactly what they get for running it. So they remove their undocumented insecure backdoor from the product, however previously they've updated it to ONLY support telnet, RSH, and serial?? WTF? They actually removed SSH support. Absolutely NOTHING on ANY network should be running telnet or RSH, let alone mission critical infrastructure. Period.

The next time that any two (or more) advanced countries go to war, we're going to see crazy amounts of cyber warfare. The balance between offense and defense is tilted so heavily towards offense that we're certain to see that imbalance be exploited heavily.

>> The previously secret account uses the login ID of "factory" and a password that's recovered by plugging the MAC, or media access control, address of the targeted device into a simple Perl script...
>> Raising the risk of unauthorized access, many log in screens display the device's MAC address before a user enters valid credentials.

While an unforgivable vendor choice; anybody using things like this and not restricting those protocols to management vlans without default gateways at the very minimum deserves whatever they get, imo.

I'm not sure they removed ssh support, they may have disabled the backdoor when using ssh but left it enabled for telnet since no one would allow telnet access over the Internet!

There are obviously some situations that make a backdoor useful for support engineers but it should need physical access to enable or only work for 5 minutes after boot.

Yeah, I think what happened was that one engineer who thought he was doing everyone a favor probably ended up pissing off all his engineering friends who were using the back door to get their job done faster.

Governments claim to be concerned about potential infrastructure terrorism, and would seem to be a stakeholder with a lot of influence over recalcitrant SCADA suppliers.

It doesn't take the resources of a nation-state to disassemble firmware to find vendor backdoors in specialty systems.

Boberz wrote:

While an unforgivable vendor choice; anybody using things like this and not restricting those protocols to management vlans without default gateways at the very minimum deserves whatever they get, imo.

Apparently anyone buying from such vendors equally deserves anything they get, then. People who want backdoors can put in their own backdoor accounts, but unremovable backdoors present no such option unless the code is open source.

Man, that dude has some serious steel plating on his front door. And not to mention the titanium alloy nano carbonated super plasma injected into every brick making it impermeable to almost everything other than a solar flare from 100 foot away.

Shame he leaves his backdoor key under the mat though, along with deactivation codes for the alarm.

The fact they touch the internet is pure fail. You may think you have something completely locked down, but there are people out there that know it's not. Those people are considered a threat even if they currently have no intention of performing any malicious activity. If Joe Schmuck demands he be able to play FarmVille on the workstations he's using to monitor the plant's activities, then his position needs to be re-evaluated. Or at most, assigned a workstation on a separate, internet facing network.